[Video] What is GDPR and how does it affect the industry?

These insights came from a recent interview we held with Chantal Bernier, National Leader for Privacy and Cybersecurity at Dentons. You can find a link to the full interview at the end of this article.

What is GDPR?

GDPR stands for General Data Protection Regulation and will replace all existing national European privacy laws. When coming into force on May 25th, 2018, all domestic and national privacy laws in Europe will be aggregated and replaced by the GDPR, which essentially creates a new regime for the protection of privacy in Europe. It is worth noting that the GDPR allows for no grace period, so anyone affected by it needs to be ready for the May 25th deadline.

Why do North American companies need to get behind a European regulation?

To quote Brad Smith, President and Chief Legal Officer at Microsoft: “If you’ve ever heard of Europe, it applies to you”.

Considering the web does not have any boundaries, a European user can very well access a North American website at any given time. It is the location of the user and not the origin of the website that determines the application of the GDPR. Given that, everyone with a European audience needs to comply with the regulation.

How will the regulation affect publishers and advertisers based in Canada and the US?

Just like the Internet, publishers and advertisers who work online do not know boundaries. So clearly, publishers, advertisers, and marketers should get ready for GDPR.

Publishers are the ones that have the highest level of responsibility in this matter because they are the first interface with the users. Users go and search websites and will be targeted by ads throughout their browsing experience, but the first interaction they have is with the website itself. And so, publishers need to set the right tools for that interaction to abide by the rules of GDPR.

As publishers are the ones who perceive the information on the user, they have to determine how it will be used. Advertisers, in turn, must comply with the publisher’s conditions.

What steps do advertisers and publishers need to take to ensure they are compliant with GDPR?

Before we dig into some of the steps, please note that this is not meant to be an exhaustive list of recommendations and publishers and advertisers should definitely get counsel from their legal expert to ensure compliance with GDPR.

The first step is to review all of their operations, modalities and data collecting activities in relation to GDPR, primarily ensuring that all consent forms are appropriate. To be clear, this means: is there any collection of personal information that should be subject to a higher level of consent?

The second step is clarifying privacy policies, as consent from the user has to be informed. A clear privacy policy does not need to be long, it has to be concise.

One good way to do it is to break it down; first, show a short pop-up to say something along the lines of “we collect cookies, cookies recognize your computer’s IP address, we won’t share it with anyone, are you ok with this?”. Then, the user can click “yes”, or “learn more” and be redirected to the privacy policy page.

The last step for publishers is to look at their contract with their advertisers and vendors. This implies making sure the advertisers and vendors are compliant and ensuring that there is no data leakage or misusage, to provide a structure on their platform that is GDPR compliant.

To who should publishers and advertisers reach out to know what their next steps are?

Anyone working towards being GDPR compliant needs a lawyer who is an expert in this area specifically and who will perform a gap analysis between their actual practices and what the GDPR requires. Once that gap analysis is done, the lawyer will provide changes to be made to the existing company policies and practices.

There may also be technological updates that need to be implemented. That can be done by a data security expert or an in-house IT person. For example, if a company doesn’t have the mechanisms to give users access to data * , they need someone internal or external to build those mechanisms. The IAB provides a list of registered Consent Management Platforms (CMPs) here.

*One of the rights GDPR gives to the user is the right to access personal information collected on them by any company.

How does this regulation impact the consumer?

One of the central objectives of GDPR is to empower the individual and provide them with greater mechanisms to access the personal information that an organization or company collects on them, but also clearly understand how this data is being collected and used.

As such, the GDPR requires that the data collected be stored only for the minimal period of time necessary and be used only for the purpose that was agreed to by the user.

GDPR also entitles the user to the right to correction. So, in a case of misrepresentation or inaccurate information, the user has the right to have this information rectified.

Finally, users also have the right to be forgotten. If through the passage of time or due to a change in context, the information collected about a user is no longer accurate, the user can ask the publisher to erase that information.

Watch the full interview with Chantal Bernier, National Leader for Privacy and Cybersecurity at Dentons here!

Watch the full interview with Chantal Bernier, National Leader for Privacy and Cybersecurity at Dentons below